"These attacks begin with social engineering. The crew creates fake recruiter profiles on social media and networking platforms like LinkedIn and then reaches out to finance professionals with phony job opportunities before scheduling a technical interview - that's the delivery mechanism for the malware."

https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/

#cybersecurity #socialengineering #NorthKorea #macOS #phishing #Masto #FickleFutures

🧵 2/2

North Korea targets macOS users in latest heist

Social engineering: 'low-cost, hard to patch, and scales well'

The Register


This one is out of the ordinary! Yes, it really is a #phishing message received at an address that was part of a data breach.
#hameçonnage #donnéespersonnelles #arnaque

📰 Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

⚠️ Phishing Alert: Fake DHL 'shipment arrived' emails are dropping a malicious installer for the SimpleHelp RMM tool, giving attackers a backdoor into victim networks. Be cautious with attachments! 📦 #Phishing #Malware #SimpleHelp #RMM

🔗 https://cyber.netsecops.io/articles/phishing-campaign-abuses-simplehelp-rmm-tool-via-fake-dhl-emails/?utm_source=mastodon&utm_medium=soc…

Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

A new phishing campaign impersonates DHL to trick users into installing a malicious, pre-configured version of the legitimate SimpleHelp RMM tool, providing attackers with backdoor access.

CyberNetSec.io

The German language is too complicated for #Cybercrime: in the past, German (which, incidentally, is considered one of the most complicated languages in the world) apparently served as a kind of natural shield against international cyber gangs, because many #Phishing attempts and extortion letters were spotted early thanks to their poor grammar and localization. According to a report, this "advantage" is now definitively history in the age of generative #KI:

https://www.it-daily.net/shortnews/cyberangriffe-deutschland-platz-eins

Cyberattacks in Europe: Germany in first place

Cyberattacks in Germany have increased by 92 percent within one year, with German SMEs (the Mittelstand) identified as the most lucrative target.

Online portal of IT Management

First time seeing #Zoom docs as an initial #phishing page:

https://docs. zoom\ .us/doc/3eF1mlIOSiK7vIdLWpjEAw?from=email -> https://corporationusarydersysteminccapital \.mcpcjiinc\ .vu/

#QR codes can act as an initial vector for #phishing and other web-based attacks, redirecting users to malicious endpoints without prior verification 📲

In a recent #WDRLokalzeit OWL feature, researchers from @uni_paderborn presented #TLSScanner, an #opensource tool for automated assessment of #TLS configurations and web endpoint security, helping reduce users’ exposure to compromised services.

🎬 Watch the full segment (minutes 14–20, in German) to learn more: https://www.ardmediathek.de/video/lokalzeit-owl/wdr-lokalzeit-owl-oder-05-03-2026/wdr-bielefeld/Y3JpZDovL3dkci5kZS9CZWl0cmFnLXNvcGhvcmEtNzRlZTE3MGQtYWRkNS00ZWNjLTk1ZTQtM2E0Njg0YjBhMmQy

WDR Lokalzeit OWL | 05.03.2026 - watch here

Topics: Heating oil prices rising | CO2 leak in Horn-Bad Meinberg: what happens next | The Lübkes: sparks flew in the dormitory | D-Jane launches her own event series | Dangers of QR codes | Studio interview: Anna Lena Rotthaler, research associate, Universität Paderborn | Extraordinary: antiques dealer converts an old school | Route planner in the bouldering gym | Weather

Takes Aim at the Ransomware Throne

In February 2025, BlackBasta ransomware operations ceased after their internal chat logs were leaked online, leading to disbandment. However, former affiliates continued launching attacks using different ransomware families, including the relatively unknown Payouts King group that emerged in April 2025. ThreatLabz has observed continued ransomware activity consistent with former BlackBasta initial access brokers since early 2026, utilizing similar tactics including spam bombing, Microsoft Teams phishing, and Quick Assist abuse. Payouts King implements sophisticated evasion techniques including stack-based string obfuscation, API hashing, and direct system calls to terminate security processes. The ransomware leverages 4,096-bit RSA and 256-bit AES counter mode encryption, selectively encrypting files while targeting security software and employing anti-forensics techniques like shadow copy deletion and event log clearing.

Pulse ID: 69e1f1296b63ec46a94782ce
Pulse Link: https://otx.alienvault.com/pulse/69e1f1296b63ec46a94782ce
Pulse Author: AlienVault
Created: 2026-04-17 08:36:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Encryption #ICS #InfoSec #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #Spam #ThreatLabz #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

[Translation] How a “dream job invitation” turns into an attack

It all starts with a notification that feels familiar and exciting for any developer: “You’ve been shortlisted for an AI developer position.” The company looks impressive — DLMind, an “AI innovation lab.” The recruiter appears legitimate — Tim Morenc, CEDS, with a polished LinkedIn profile, professional communication style, and mutual connections.

But behind this friendly outreach is BeaverTail — a malicious operation designed to steal your code, credentials, and developer assets.

The attack is part of a broader pattern associated with North Korean cyber operations, including groups such as Lazarus Group.

How the attack works

The victim is approached via LinkedIn or similar platforms

A convincing fake company and recruiter profile is used

A “technical assignment” or test task is provided

The task contains malicious code or a compromised dependency

Once executed, it extracts sensitive data such as:

GitHub / Git credentials

SSH keys

API tokens

browser session data

Why it works

The campaign relies on social engineering rather than technical exploitation:

trust in recruitment processes

desire for career opportunities

familiarity of developer workflows (GitHub, npm, Python, etc.)

Key takeaway

Any unsolicited “test assignment” should be treated as potentially hostile code. Execution environments must be isolated, and credentials should never be exposed in evaluation setups.

---

#hashtags
#cybersecurity #infosec #malware #socialengineering #phishing #infostealer #supplychainattack #github #developers #techsecurity #beavertail #lazarusgroup
